On Tue, Mar 02, 2021 at 03:55:16PM +0000, Nick Hilliard wrote: > Bear in mind that even within the IETF, plenty of people view the entire > HTML email debate as flogging the proverbial dead horse, and when it rolls > around every several months, welcomes it in the same way that you might > welcome an outbreak of cold sores. That can be said of many discussions here, some of which are ongoing. > Looking at this from a different perspective, in the twenty-something years > of discussion since Content-Type: text/html first appeared, have any > actionable and viable suggestions emerged about how to deal with html email, > other than stripping it off in the archived emails? Wearing a security hat, what I would do is strip off all script and img elements, and any element with an href that gets dereferenced automatically. Or maybe pass it through elinks and then turn the references back into HTML links that the user can click on if they really like. > Maybe the people who are upset about html email could form a working group, > take the discussion there and write up an ID with observations and > recommendations for html emails at the ietf? Unlikely. We're a volunteer organization, but the volunteers do get paid to do most of what they do here. A better approach would be to standardize a subset of HTML for email that is secure enough. But I think that would fall on the W3C. Nico --
